CVE-2026-59203
Python Analisi e mitigazione delle vulnerabilità

Panoramica

CVE-2026-59203 is a denial-of-service vulnerability in Pillow's EPS image parser that allows an unauthenticated attacker to cause an infinite loop by supplying a crafted EPS file with a negative byte count in the %%BeginBinary directive. It affects Pillow versions 12.0.0 through 12.2.0 (inclusive), and was fixed in version 12.3.0. The vulnerability was published on July 14, 2026, with the fix merged on June 22, 2026. It carries a CVSS v3.1 base score of 7.5 (High) per NVD, or 5.3 (Medium) per the GitHub Security Advisory (GitHub Advisory).

Dettagli tecnici

The root cause is a missing non-negativity check on the byte count parsed from the %%BeginBinary: directive in PIL/EpsImagePlugin.py (CWE-835: Loop with Unreachable Exit Condition). When Pillow reads the byte count, it passes the value directly to self.fp.seek(bytecount, os.SEEK_CUR) without validating that it is non-negative. A crafted EPS file containing %%BeginBinary:-18 causes the file pointer to seek backwards to the same directive line, which is then re-parsed indefinitely. The loop is triggered during Image.open() alone — it does not require Image.load() or Ghostscript execution — making it exploitable in any code path that opens or validates EPS files. The fix (PR #9708, commit 0399261) adds a check that raises a ValueError with the message "BeginBinary bytecount cannot be negative" if the parsed value is less than zero (GitHub Advisory, Fix Commit).

Impatto

Successful exploitation causes the affected Python process to hang indefinitely in an infinite loop, consuming 100% CPU and rendering the application unresponsive — a complete availability denial of service. There is no impact on confidentiality or integrity. Web services, API backends, and batch image processing pipelines that accept user-supplied EPS files and pass them to Image.open() are particularly at risk, especially if image parsing runs in a main worker process without CPU time limits, timeouts, or process isolation (GitHub Advisory).

Passaggi di sfruttamento

  1. Craft the malicious EPS file: Create a file named pillow_eps_beginbinary_dos.eps with the following content:
%!PS-Adobe-3.0 EPSF-3.0
%%BoundingBox: 0 0 1 1
%%EndComments
% dummy comment after transition
%%BeginBinary:-18
%%EOF

The key payload is %%BeginBinary:-18, which specifies a negative byte count of -18.

  1. Identify a vulnerable target: Locate an application or service using Pillow 12.0.0–12.2.0 that accepts EPS image uploads or processes user-supplied image files (e.g., image validation endpoints, thumbnail generators, document converters).

  2. Deliver the malicious file: Submit the crafted EPS file to the target application via its file upload interface, API endpoint, or any other mechanism that causes the application to call Image.open() on the file.

  3. Trigger the infinite loop: When the application calls Image.open("pillow_eps_beginbinary_dos.eps"), the EPS parser reads %%BeginBinary:-18, seeks the file pointer backwards by 18 bytes to the same directive, and re-parses it indefinitely. The process hangs and consumes 100% CPU, causing a denial of service (GitHub Advisory).

Indicatori di compromesso

  • Process: Python worker processes consuming sustained 100% CPU without completing, particularly those handling image uploads or processing tasks; processes that never return from Image.open() calls on EPS files.
  • Logs: Application logs showing EPS image open requests that never complete or time out; absence of completion log entries for image processing jobs that accepted EPS input.
  • File System: Presence of EPS files containing the string %%BeginBinary:- followed by a negative integer in upload directories or temporary processing folders.
  • Network: Repeated or sustained HTTP requests to image upload/processing endpoints that do not receive a response, potentially indicating a hung worker.

Mitigazione e soluzioni alternative

The primary remediation is to upgrade Pillow to version 12.3.0 or later, which raises a ValueError for negative %%BeginBinary byte counts (Pillow Release 12.3.0). If immediate patching is not possible, restrict or block processing of EPS files from untrusted sources, implement file type validation before passing files to Image.open(), and enforce CPU time limits or process timeouts on image parsing workers to bound the impact of exploitation (GitHub Advisory).

Risorse aggiuntive


FonteQuesto report è stato generato utilizzando l'intelligenza artificiale

Imparentato Python Vulnerabilità:

CVE ID

Severità

Punteggio

Tecnologie

Nome del componente

Exploit CISA KEV

Ha la correzione

Data di pubblicazione

GHSA-r3hx-x5rh-p9vvHIGH8.7
  • Python logoPython
  • django-haystack
NoJul 15, 2026
CVE-2026-54457HIGH7.7
  • Python logoPython
  • tensorzero
NoJul 15, 2026
CVE-2026-50271HIGH7.5
  • Python logoPython
  • ddtrace
NoJul 15, 2026
CVE-2026-54254MEDIUM6.9
  • Python logoPython
  • cyberdrop-dl-patched
NoJul 15, 2026
CVE-2026-53656MEDIUM6.3
  • Python logoPython
  • fiftyone
NoJul 15, 2026

Valutazione gratuita delle vulnerabilità

Benchmark della tua posizione di sicurezza del cloud

Valuta le tue pratiche di sicurezza cloud in 9 domini di sicurezza per confrontare il tuo livello di rischio e identificare le lacune nelle tue difese.

Richiedi valutazione

Richiedi una demo personalizzata

Pronti a vedere Wiz in azione?

"La migliore esperienza utente che abbia mai visto offre piena visibilità ai carichi di lavoro cloud."
David EstlickCISO (CISO)
"Wiz fornisce un unico pannello di controllo per vedere cosa sta succedendo nei nostri ambienti cloud."
Adam FletcherResponsabile della sicurezza
"Sappiamo che se Wiz identifica qualcosa come critico, in realtà lo è."
Greg PoniatowskiResponsabile della gestione delle minacce e delle vulnerabilità